From f15b3aa23dcb24afb802c6b5eb2ef2f3998977cf Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sat, 1 Apr 2023 21:05:20 +0200
Subject: [PATCH] modules: services: woodpecker: allow setuid

I need it to be able to use `ssh-agent`, for some of my workflows.
---
 modules/services/woodpecker/agent-exec/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/services/woodpecker/agent-exec/default.nix b/modules/services/woodpecker/agent-exec/default.nix
index 743dfbb..0fa8f0a 100644
--- a/modules/services/woodpecker/agent-exec/default.nix
+++ b/modules/services/woodpecker/agent-exec/default.nix
@@ -45,6 +45,9 @@ in
 ];
 serviceConfig = {
+ # Same option as upstream, without @setuid
+ SystemCallFilter = lib.mkForce "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap";
+
 BindPaths = [
 "/nix/var/nix/daemon-socket/socket"
 "/run/nscd/socket"
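Review bot: The `lib.mkForce` on `SystemCallFilter` pins a hand-copied version of upstream's deny list with `@setuid` removed, so any group upstream later adds to its filter will silently not apply to this agent, and the relaxation covers every job the agent runs rather than only the workflows that start `ssh-agent`. The comment should record both the reason and the sync obligation, for example `# Upstream deny list minus @setuid (needed by ssh-agent); re-sync with the nixpkgs module whenever it changes`. As far as I know `@privileged`, which stays denied here, still covers the uid-changing calls, so the effective widening is probably limited to the gid-changing part of `@setuid`; `systemd-analyze syscall-filter @setuid` shows the exact set. It is also worth confirming with `systemd-analyze security <unit>` that `NoNewPrivileges` and `RestrictSUIDSGID` remain in force for the unit, since neither is visible in this hunk and `serviceConfig` continues past its end.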